US7493659B1 - Network intrusion detection and analysis system and method - Google Patents


Publication number
US7493659B1
Authority
US
United States
Prior art keywords
intrusion detection
monitoring device
network
data monitoring
data
Prior art date
Legal status
Active, expires
Application number
US10/091,645
Inventor
Handong Wu
Jerome Freedman
Christopher J. Ivory
Current Assignee
McAfee LLC
Original Assignee
McAfee LLC
Priority date
Filing date
Publication date
Priority to US10/091,645
Assigned to NETWORKS ASSOCIATES TECHNOLOGY, INC.: ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: WU, HANDONG, IVORY, CHRISTOPHER J., FREEDMAN, JEROME
Application filed by McAfee LLC
Assigned to MCAFEE, INC.: MERGER (SEE DOCUMENT FOR DETAILS). Assignors: NETWORKS ASSOCIATES TECHNOLOGY, INC.
Application granted
Publication of US7493659B1
Assigned to MCAFEE, LLC: CHANGE OF NAME AND ENTITY CONVERSION. Assignors: MCAFEE, INC.
Assigned to MORGAN STANLEY SENIOR FUNDING, INC.: SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCAFEE, LLC
Assigned to JPMORGAN CHASE BANK, N.A.: SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCAFEE, LLC
Assigned to JPMORGAN CHASE BANK, N.A.: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST. Assignors: MCAFEE, LLC
Assigned to MORGAN STANLEY SENIOR FUNDING, INC.: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST. Assignors: MCAFEE, LLC
Assigned to MCAFEE, LLC: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045055/0786. Assignors: JPMORGAN CHASE BANK, N.A., AS COLLATERAL AGENT
Assigned to MCAFEE, LLC: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045056/0676. Assignors: MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT
Assigned to JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT AND COLLATERAL AGENT: SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCAFEE, LLC
Assigned to JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT: CORRECTIVE ASSIGNMENT TO CORRECT THE THE PATENT TITLES AND REMOVE DUPLICATES IN THE SCHEDULE PREVIOUSLY RECORDED AT REEL: 059354 FRAME: 0335. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT. Assignors: MCAFEE, LLC
Active (current legal status)
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Definitions

  • The present invention operates in the context of a data communication network including multiple network elements.
  • The network may be wireless, frame relay, T1 links, Gigabit Ethernet Local Area Networks (LANs), packet over SONET, Wide Area Networks (WANs), or Asynchronous Transfer Mode (ATM), for example.
  • FIG. 2 illustrates an exemplary network incorporating intrusion detection and analysis systems 18 of the present invention.
  • The network intrusion detection and analysis system (NIDAS) 18 may be placed at key points throughout the network.
  • The units monitor network traffic, perform local analysis of the traffic, and report attacks to a central management station (e.g., system administrator).
  • The network intrusion detection and analysis systems 18 are preferably placed on the network perimeter including both sides of a firewall 20 (e.g., between router 22 and the Internet), near a web server 26, and on links to internal or partner networks (e.g., between router 28 and internal corporate network 24).
  • NIDAS 1 monitors all traffic passing into and out of the internal network.
  • NIDAS 1 provides an early warning since it detects reconnaissance port scans that typically indicate the start of hacker activity. From this point, NIDAS 1 can document the number and types of attacks originating on the Internet that target the network.
  • NIDAS 2 monitors traffic that has passed through the firewall 20.
  • NIDAS 3 monitors traffic passing into and out of internal corporate LAN 24. It is to be understood that the network of FIG.
  • NIDSs are only one example illustrating placement of NIDSs within a network and that the present invention may be used on different types of networks and placed in various locations throughout the network. For example, some devices may be used as traditional data monitoring and analysis devices while other devices may be used as intrusion detection devices. Furthermore, it is to be understood that the system of the present invention may also be used in networks which are not connected to the Internet and may be used, for example, in intranets or any other type of network.
  • The network intrusion detection and analysis system 18 preferably provides both signature matching and anomaly detection. However, the system may be configured to perform only one type of detection. As further described below, the signature based intrusion detection system performs packet capturing, protocol decoding, signature matching, and alert/alarm generation and report.
  • The anomaly based intrusion detection system includes packet capturing, protocol decoding, network statistics gathering, abnormality discovering, and alert/alarm generation and reporting. Functions such as packet capturing, protocol decoding, network statistics gathering, network traffic diagnosis, and alert/alarm generation and reporting are provided by the network analysis device. These applications are leveraged by the intrusion detection system to provide an efficient network intrusion detection system which may be provided in combination with network analysis and management.
  • FIG. 3 shows a block diagram illustrating details of the intrusion detection and analysis system 18 of the present invention.
  • The system includes a network analysis application 30, capture engine 32, detect engine 34, log file 36, parser 38, rules database 40, and signature database 42.
  • The analysis application 30 provides network analysis and management capabilities. For example, the network analysis application 30 may detect broken lines and heavy workloads, identify network errors, and analyze traffic load. The analysis application 30 may also be used to perform anomaly intrusion detection.
  • The analysis application 30 preferably constructs profiles representing normal behavior of users, hosts, or network connections. These profiles are constructed from historical data collected over a period of normal operation. The application then collects event data and uses a variety of measures to determine when monitored activity deviates from the normal baseline.
  • The application 30 may use threshold detection or statistical measures, for example.
  • The analysis application 30 receives packets from capture engine 32.
  • The capture engine 32 receives packets from the network and forwards the packets to the analysis application 30 for higher level analysis.
  • The capture engine 32 may also save packets for later analysis if the engine cannot process all the packets passing through the network.
  • The parser 38 is coupled to the network analysis application 30, detection rules database 40, and signature database 42.
  • An initialization routine is called in the analysis application 30 to parse the signatures and detection rules and set up other internal data structures.
  • The signatures are provided to the parser 38 which generates code to be used by detect engine 34.
  • The detect engine 34 analyzes the packets to see if there is an intrusion embedded in the packet.
  • Information on detected intrusions is sent to the log file 36, which is available, for example, to a system administrator.
  • The log file 36 may also include an application that generates alarms for the system administrator.
  • The log file 36 may generate routine reports and other detailed information.
  • A report may contain, for example, system events and intrusions detected over a reporting period.
  • The system may use both active and passive measures when an intrusion is detected. Active measures may involve some automated intervention on the part of the system to disconnect or counterattack intruders. The passive measures involve reporting intrusion detection system findings to a system administrator, security officer, or other personnel, who can then take action based on the reports.
  • The rules may be in the format of SNORT (an Open Source Network Intrusion Detection System), for example.
  • The packet may be passed or logged, or may generate an alert.
  • The pass rules drop the packet.
  • Log rules write the full packet to the logging routine that was selected by a system administrator.
  • Alert rules generate an event notification using the method specified by the system administrator, and then log the full packet using the selected logging mechanism to enable later analysis.
  • Pattern matching may be performed using various algorithms, as is well known by those skilled in the art. Rules may also be used to limit the amount of data that has to be searched. For example, many buffer overflows use variable offsets to tune the size and placement of the exploit machine code. Web CGI probes and attacks generally all take place at the beginning of the packet within the first thirty or fifty bytes.
  • APIs 48 are used to open applications of the network analysis device 16 (FIGS. 1 and 3).
  • The APIs 48 are used to parse, generate and load signatures, invoke corresponding signature detection methods from appropriate protocol contexts, access states required for stateful intrusion detection, and access alerts/alarms management facilities.
  • The APIs may be of the form frame_context_pointer_position, and include, for example:
  • FIG. 4 illustrates packet flow through the network intrusion detection and analysis system 18.
  • The system preferably receives raw network packets and uses a network adaptor that listens and analyzes all traffic in real-time as it travels across the network.
  • The packets are received at receiving port (RX) 50 at the MAC (Medium Access Control) layer 52.
  • The packets then pass through IP fragment and CRC (Cyclic Redundancy Checking) 54.
  • A statistics filter 56 filters out unwanted packets.
  • The filter 56 determines which data to examine more closely and screens out all other network traffic. Filter 56 improves system performance by allowing known nonmalicious traffic to be filtered out.
  • Network statistics are then collected at a statistics collection application 58.
  • A trigger 60 is used to trigger the capture engine 32 to capture packets at 62.
  • The packets are either analyzed in real time or temporarily stored for later analysis. Data may be captured, for example, at a buffer at the full-line rate for a short duration, with subsequent analysis of the buffered data at a slower pace.
  • Protocol decoding 64 is provided to decode a wide range of protocols covering all of the Open System Interconnection (OSI) layers to provide detailed data and analysis. Detailed decoding allows visibility into the network regardless of the speed or topology.
  • The packets may be grouped into different protocol presentations and the packets assembled into high level protocol groups for analysis. Signature matching 66 is then performed to detect network intrusion. Any problems detected are sent to an alert log 68 and appropriate action is taken.
  • FIG. 5 shows a system block diagram of a computer system, generally indicated at 70, that may be used within the network to execute software of an embodiment of the invention.
  • The computer system may include subsystems such as a central processor 80, system memory 82, removable storage 86 (e.g., CD-ROM drive), and a hard drive 84 which can be utilized to store and retrieve software programs incorporating computer code that implements aspects of the invention, data for use with the invention, and the like.
  • The computer readable storage may also include tape, flash memory, or system memory.
  • A data signal embodied in a carrier wave (e.g., in a network including the Internet) may be the computer readable storage medium.
  • The computer system 70 may further include a display screen, keyboard, and mouse which may include one or more buttons for interacting with a GUI (Graphical User Interface).
  • Other computer systems suitable for use with the invention may include additional or fewer subsystems.
  • The computer system 70 may include more than one processor 80 (i.e., a multi-processor system) or a cache memory.
  • The system bus architecture of the computer system 70 is represented by arrows 88 in FIG. 5.
  • Arrows 88 are only illustrative of one possible interconnection scheme serving to link the subsystems.
  • A local bus may be utilized to connect the central processor 80 to the system memory 82.
  • The components shown and described herein are those typically found in most general and special purpose computers and are intended to be representative of this broad category of data processors.
  • The computer system 70 shown in FIG. 5 is only one example of a computer system suitable for use with the invention. Other computer architectures having different configurations of subsystems may also be utilized.
  • The computer may include an input/output circuit used to communicate information in appropriately structured form to and from the parts of computer and associated equipment. Connected to the input/output circuit are inside and outside high speed Local Area Network interfaces 90, for example.
  • The inside interface may be connected to a private network, while the outside interface may be connected to an external network such as the Internet.
  • Each of these interfaces includes a plurality of ports appropriate for communication with the appropriate media, and associated logic, and in some instances memory.
  • The system and method of the present invention provide numerous advantages.
  • The system and method of the present invention reduce downtime caused by undetected attacks, resulting in greater availability of systems to conduct internal operations and complete transactions over the Internet or other communication network.
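
The parser and detect engine handling of pass, log and alert rules with a limited search depth, and the baseline comparison attributed to the analysis application in the list above, modelled in Python. This is an added example, not code from the patent or from any product it names. The rule text uses a small subset of Snort rule syntax; the rules, packets and traffic counts are constructed, and evaluating pass rules before alert and log rules is an assumption of this example.

```python
import re
from statistics import mean, pstdev

# Constructed rules (subset of Snort syntax: action, protocol, destination
# port, and the msg/content/depth options). Not taken from the patent.
RULES_TEXT = '''
pass  tcp any any -> any 80 (msg:"monitoring probe"; content:"X-Healthcheck";)
alert tcp any any -> any 80 (msg:"CGI probe"; content:"/cgi-bin/probe-test"; depth:50;)
log   tcp any any -> any 21 (msg:"FTP login"; content:"USER ";)
'''

RULE_RE = re.compile(
    r'^(pass|log|alert)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\d+|any)\s+\((.*)\)\s*$')
OPT_RE = re.compile(r'(\w+):\s*("[^"]*"|[^;]+);')


def parse_rules(text):
    """Parser stage: turn rule text into records the detect engine evaluates."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        action, proto, port, body = m.groups()
        opts = {k: (v[1:-1] if v.startswith('"') else v.strip())
                for k, v in OPT_RE.findall(body)}
        rules.append({
            "action": action,
            "proto": proto,
            "port": None if port == "any" else int(port),
            "msg": opts.get("msg", ""),
            "content": opts["content"].encode(),
            "depth": int(opts["depth"]) if "depth" in opts else None,
        })
    return rules


def matches(rule, pkt):
    """Cheap header checks first, then a content search over at most `depth` bytes."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["port"] is not None and rule["port"] != pkt["dport"]:
        return False
    payload = pkt["payload"]
    window = payload if rule["depth"] is None else payload[:rule["depth"]]
    return rule["content"] in window


def detect(rules, packets):
    """Detect engine: a pass rule ends inspection of the packet, a log rule
    records it, an alert rule raises a notification and also records it."""
    order = {"pass": 0, "alert": 1, "log": 2}  # assumption: pass is checked first
    ordered = sorted(rules, key=lambda r: order[r["action"]])
    alerts, logged = [], []
    for pkt in packets:
        for rule in ordered:
            if not matches(rule, pkt):
                continue
            if rule["action"] == "alert":
                alerts.append((pkt["id"], rule["msg"]))
            if rule["action"] in ("alert", "log"):
                logged.append(pkt["id"])
            break  # the first matching rule decides what happens to the packet
    return alerts, logged


def build_baseline(history):
    """Profile of normal behaviour from historical packets-per-interval counts."""
    return {"mean": mean(history), "std": pstdev(history)}


def is_anomalous(baseline, observed, k=3.0):
    """Statistical threshold: more than k standard deviations from the mean."""
    return abs(observed - baseline["mean"]) > k * baseline["std"]


# Constructed packets, already decoded to protocol, destination port and payload.
PACKETS = [
    {"id": 1, "proto": "tcp", "dport": 80,
     "payload": b"GET /cgi-bin/probe-test?x=1 HTTP/1.0\r\n\r\n"},
    # The string appears only in a Referer header after byte 50, outside the
    # depth:50 window, so this ordinary page request raises no alert.
    {"id": 2, "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"
                b"Referer: http://example.test/cgi-bin/probe-test\r\n\r\n"},
    {"id": 3, "proto": "tcp", "dport": 80,
     "payload": b"GET /status HTTP/1.0\r\nX-Healthcheck: 1\r\n\r\n"},
    {"id": 4, "proto": "tcp", "dport": 21, "payload": b"USER anonymous\r\n"},
    {"id": 5, "proto": "udp", "dport": 53, "payload": b"\x12\x34"},
]
HISTORY = [100, 110, 95, 105, 90]  # constructed packets-per-interval counts

if __name__ == "__main__":
    alerts, logged = detect(parse_rules(RULES_TEXT), PACKETS)
    print("alerts:", alerts)
    print("logged packet ids:", logged)
    base = build_baseline(HISTORY)
    for count in (104, 400):
        print(count, "anomalous" if is_anomalous(base, count) else "normal")
```

The depth option bounds the search cost per packet and keeps the rule from firing on the same string elsewhere in the payload; the cost is that content beyond the window is not inspected by that rule.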

Abstract

An intrusion detection and analysis system and method are disclosed. The system includes a data monitoring device comprising a capture engine operable to capture data passing through the network and configured to monitor network traffic, decode protocols, and analyze received data. The system further includes an intrusion detection device comprising a detection engine operable to perform intrusion detection on data provided by the data monitoring device. Application program interfaces are provided and configured to allow the intrusion detection device access to applications of the data monitoring device to perform intrusion detection. The system also includes memory for storing reference network information used by the intrusion detection device to determine if an intrusion has occurred.

Description

BACKGROUND OF THE INVENTION
The present invention relates generally to communication systems, and more particularly, to a network intrusion detection and analysis system and method.
The explosion of the Internet allows companies and individuals real time access to vast amounts of information. As Internet access costs have decreased, corporations are increasingly using the Internet for corporate data and communications. The many advantages of the Internet, such as cost and flexibility, are heavily impacted by security risks. Security is increasingly becoming a critical issue in enterprise and service-provider networks as usage of public networks for data transport increases and new business applications such as e-commerce sites are deployed. Security measures are required, for example, to prevent hackers from gaining unauthorized access to a corporation's information resources or shutting down an e-commerce web site via a distributed denial of service attack. Corporations continue to deploy firewalls to prevent unauthorized users from entering their networks. However, corporations are looking to additional security technologies to cover system vulnerabilities that firewalls alone cannot address.
One of these additional security measures is an intrusion detection system (IDS). As network attacks have increased in number and severity, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations. Intrusion detection allows organizations to protect their systems from threats that come with increasing network connectivity and reliance on information systems. Intrusion detection systems include software or hardware systems that automate the process of monitoring events occurring in a computer system or network, and analyzing them for signs of security problems. Intruders attempt to compromise the confidentiality, integrity, or availability of a computer or network, or to bypass its security mechanisms. These include, for example, unauthorized users, authorized users of the systems who attempt to gain additional privileges for which they are not authorized, and authorized users who misuse the privileges given to them. Intrusion detection technology is, therefore, a necessary addition to every large organization's computer network security infrastructure.
Network based intrusion detection systems (NIDSs) provide network surveillance by analyzing packet data streams within the network, searching for unauthorized activity, such as attacks by hackers, and enabling users to respond to security breaches before systems are compromised. Typically, network intrusion detection systems analyze individual packets flowing through a network and can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. Network intrusion detection systems may also be configured to look at the payload within a packet to see which particular web server program is being accessed and with what options, and to raise alerts when an attacker tries to exploit a bug in such code. When unauthorized activity is detected, the intrusion detection system can send alarms to a management console or system administrator with details of the activity and may also direct other systems to cut off the unauthorized sessions.
Network intrusion detection systems may be signature based, anomaly based, or a combination of both. The signature based intrusion detection system analyzes information it gathers and compares it to a large database of attack signatures. The system looks for a specific attack that has already been documented. In the anomaly based system, a system administrator defines the baseline, or normal state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies. Conventional network intrusion detection devices are challenged with accurately detecting various intrusions hidden in ever increasing high-speed network traffic packets, either via intrusion signature matching or network traffic anomaly discovery approaches.
SUMMARY OF THE INVENTION
An intrusion detection and analysis system and method are disclosed. The system includes a data monitoring device comprising a capture engine operable to capture data passing through the network and configured to monitor network traffic, decode protocols, and analyze received data. The system further includes an intrusion detection device comprising a detection engine operable to perform intrusion detection on data provided by the data monitoring device. Application program interfaces are provided and configured to allow the intrusion detection device access to applications of the data monitoring device to perform intrusion detection. The system also includes memory for storing reference network information used by the intrusion detection device to determine if an intrusion has occurred.
The reference network information may comprise a signature database including signature profiles associated with a known network security violation. The detection engine is operable to compare the data provided by the data monitoring device with the signature profiles to detect network intrusions. The reference network information may also comprise a baseline state of network traffic. The detection engine is operable to compare the data received by the capture engine to the baseline network state and look for anomalies.
A method of the present invention for performing intrusion detection with the intrusion detection and analysis system generally comprises receiving data at the data monitoring device and capturing at least a portion of the packets contained within the data. An application program interface configured to open applications of the data monitoring device is called and intrusion detection is performed at the intrusion detection device utilizing at least one of the applications of the data monitoring device.
In another aspect of the invention, a computer program product for performing intrusion detection with the intrusion detection and analysis system generally comprises code that receives data at the data monitoring device and captures at least a portion of the packets contained within the data. The product further includes code that calls an application program interface configured to open applications of the data monitoring device and performs intrusion detection at the intrusion detection device utilizing at least one of the applications of the data monitoring device. A computer-readable storage medium is provided for storing the codes.
The above is a brief description of some deficiencies in the prior art and advantages of the present invention. Other features, advantages, and embodiments of the invention will be apparent to those skilled in the art from the following description, drawings, and claims.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram illustrating a network intrusion detection and analysis system of the present invention.
FIG. 2 is a diagram illustrating an example of a network system containing network intrusion detection and analysis systems of the present invention.
FIG. 3 is a block diagram illustrating details of the network intrusion detection and analysis system of the present invention.
FIG. 4 is an example of a packet flow diagram for the network intrusion detection and analysis system of the present invention.
FIG. 5 is a diagram illustrating a computer system that may be used to execute software of this invention.
Corresponding reference characters indicate corresponding parts throughout the several views of the drawings.
DETAILED DESCRIPTION OF THE INVENTION
The following description is presented to enable one of ordinary skill in the art to make and use the invention. Descriptions of specific embodiments and applications are provided only as examples and various modifications will be readily apparent to those skilled in the art. The general principles described herein may be applied to other embodiments and applications without departing from the scope of the invention. Thus, the present invention is not to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features described herein. For purposes of clarity, details relating to technical material that is known in the technical fields related to the invention have not been described in detail.
Referring now to the drawings, and first to FIG. 1, a network intrusion detection and analysis system of the present invention is shown and generally indicated at 18. The present invention provides an intrusion detection device 14 in combination with a network analysis and data monitoring device 16 configured to perform fault and network performance management. As further described below, the system uses packet capturing and processing to perform both network analysis functions and signature matching or anomaly recognition for intrusion detection. The network analysis device is configured to provide network monitoring, protocol decoding, and analysis capabilities. The network analysis device may be, for example, a system such as SNIFFER™, available from Sniffer Technologies, a Network Associates Company. The combination of an intrusion detection device and a network analysis device allows for efficient detection of intrusions in high-speed network traffic since the functionality of system components can be used to perform dual simultaneous functions, or one function at a time.
The present invention operates in the context of a data communication network including multiple network elements. The network may be wireless, frame relay, T1 links, Gigabit Ethernet Local Area Networks (LANs), packet over SONET, Wide Area Networks (WANs), or Asynchronous Transfer Mode (ATM), for example. FIG. 2 illustrates an exemplary network incorporating intrusion detection and analysis systems 18 of the present invention. The network intrusion detection and analysis system (NIDAS) 18 may be placed at key points throughout the network. The units monitor network traffic, perform local analysis of the traffic, and report attacks to a central management station (e.g., system administrator). The network intrusion detection and analysis systems 18 are preferably placed on the network perimeter including both sides of a firewall 20 (e.g., between router 22 and the Internet), near a web server 26, and on links to internal or partner networks (e.g., between router 28 and internal corporate network 24). For example, NIDAS 1 monitors all traffic passing into and out of the internal network. NIDAS 1 provides an early warning since it detects reconnaissance port scans that typically indicate the start of hacker activity. From this point, NIDAS 1 can document the number and types of attacks originating on the Internet that target the network. NIDAS 2 monitors traffic that has passed through the firewall 20. NIDAS 3 monitors traffic passing into and out of internal corporate LAN 24. It is to be understood that the network of FIG. 2 is only one example illustrating placement of NIDSs within a network and that the present invention may be used on different types of networks and placed in various locations throughout the network. For example, some devices may be used as traditional data monitoring and analysis devices while other devices may be used as intrusion detection devices. 
Furthermore, it is to be understood that the system of the present invention may also be used in networks which are not connected to the Internet and may be used, for example, in intranets or any other type of network.
The network intrusion detection and analysis system 18 preferably provides both signature matching and anomaly detection. However, the system may be configured to perform only one type of detection. As further described below, the signature-based intrusion detection system performs packet capturing, protocol decoding, signature matching, and alert/alarm generation and reporting. The anomaly-based intrusion detection system includes packet capturing, protocol decoding, network statistics gathering, abnormality discovering, and alert/alarm generation and reporting. Functions such as packet capturing, protocol decoding, network statistics gathering, network traffic diagnosis, and alert/alarm generation and reporting are provided by the network analysis device. These applications are leveraged by the intrusion detection system to provide an efficient network intrusion detection system which may be provided in combination with network analysis and management.
FIG. 3 shows a block diagram illustrating details of the intrusion detection and analysis system 18 of the present invention. The system includes a network analysis application 30, capture engine 32, detect engine 34, log file 36, parser 38, rules database 40, and signature database 42. The analysis application 30 provides network analysis and management capabilities. For example, the network analysis application 30 may detect broken lines and heavy workloads, identify network errors, and analyze traffic load. The analysis application 30 may also be used to perform anomaly intrusion detection. The analysis application 30 preferably constructs profiles representing normal behavior of users, hosts, or network connections. These profiles are constructed from historical data collected over a period of normal operation. The application then collects event data and uses a variety of measures to determine when monitored activity deviates from the normal baseline. The application 30 may use threshold detection or statistical measures, for example.
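The baseline approach described above, as an added example (not code from the patent): per-host profiles are built from history collected during normal operation, and new observations are checked with both a fixed threshold and a statistical measure. The host addresses, sample counts, limits and function names are constructed for illustration.

```python
import statistics

# Constructed sample data: connections per minute seen for each host during a
# period of normal operation (the historical data the profiles are built from).
HISTORY = {
    "10.0.0.5": [12, 15, 11, 14, 13, 12, 16, 14],          # workstation
    "10.0.0.9": [220, 240, 210, 235, 228, 231, 219, 226],  # busy server
}

# Constructed observations to evaluate against the baseline: (host, value).
OBSERVATIONS = [
    ("10.0.0.5", 15),     # ordinary for this host
    ("10.0.0.5", 90),     # far above this host's own normal range
    ("10.0.0.9", 240),    # high in absolute terms, normal for this host
    ("10.0.0.9", 5000),   # above the fixed limit regardless of profile
    ("10.0.0.77", 3),     # host that was never profiled
]


def build_profiles(history, min_samples=5):
    """Return {host: (mean, stdev)} for hosts with enough history."""
    profiles = {}
    for host, samples in history.items():
        if len(samples) < min_samples:
            continue  # too little history to call anything "normal"
        profiles[host] = (statistics.mean(samples), statistics.stdev(samples))
    return profiles


def detect(profiles, observations, z_limit=3.0, hard_limit=1000, stdev_floor=1.0):
    """Return a list of (host, value, reason) for observations that deviate."""
    findings = []
    for host, value in observations:
        # Threshold detection: a fixed ceiling that applies to every host.
        if value > hard_limit:
            findings.append((host, value, "threshold"))
            continue
        # A host without a profile cannot be judged against a baseline, so
        # report it instead of silently treating it as normal.
        if host not in profiles:
            findings.append((host, value, "no-baseline"))
            continue
        # Statistical measure: distance from the host's mean in standard
        # deviations. The floor keeps a perfectly flat history from turning
        # every small change into an alarm (and avoids division by zero).
        mean, stdev = profiles[host]
        z = abs(value - mean) / max(stdev, stdev_floor)
        if z > z_limit:
            findings.append((host, value, "statistical"))
    return findings


if __name__ == "__main__":
    for finding in detect(build_profiles(HISTORY), OBSERVATIONS):
        print(finding)
```

The same value can be normal for one host and anomalous for another, which is why the profile is kept per host rather than network-wide.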
The analysis application 30 receives packets from capture engine 32. The capture engine 32 receives packets from the network and forwards the packets to the analysis application 30 for higher level analysis. The capture engine 32 may also save packets for later analysis if the engine cannot process all the packets passing through the network. The parser 38 is coupled to the network analysis application 30, detection rules database 40, and signature database 42. An initialization routine is called in the analysis application 30 to parse the signatures and detection rules and set up other internal data structures. The signatures are provided to the parser 38 which generates code to be used by detect engine 34. The detect engine 34 analyzes the packets to see if there is an intrusion embedded in the packet. Information on detected intrusions is sent to the log file 36, which is available, for example, to a system administrator. The log file 36 may also include an application that generates alarms for the system administrator. The log file 36 may generate routine reports and other detailed information. A report may contain, for example, system events and intrusions detected over a reporting period. The system may use both active and passive measures when an intrusion is detected. Active measures may involve some automated intervention on the part of the system to disconnect or counterattack intruders. The passive measures involve reporting intrusion detection system findings to a system administrator, security officer, or other personnel, who can then take action based on the reports.
The rules may be in the format of SNORT (an Open Source Network Intrusion Detection System), for example. When a packet matches a specified rule pattern, the packet may be passed, logged, or generate an alert. The pass rules drop the packet. Log rules write the full packet to the logging routine that was selected by a system administrator. Alert rules generate an event notification using the method specified by the system administrator, and then log the full packet using the selected logging mechanism to enable later analysis. Pattern matching may be performed using various algorithms, as is well known by those skilled in the art. Rules may also be used to limit the amount of data that has to be searched. For example, many buffer overflows use variable offsets to tune the size and placement of the exploit machine code. Web CGI probes and attacks generally all take place at the beginning of the packet within the first thirty or fifty bytes.
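The rule handling described above, as an added example (not code from the patent or from Snort): a small evaluator for a subset of Snort-style rule syntax that shows the pass, log and alert actions and how a depth option limits the bytes searched. It assumes that a matching pass rule ends inspection of the packet (Snort's pass action ignores the packet) and that pass rules are checked first; the rules, packets and class names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Header: action proto src sport -> dst dport (options). Addresses and the
# source port are accepted but not evaluated in this example.
RULE_RE = re.compile(
    r'^(pass|log|alert)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$')
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*(?:"([^"]*)"|([^;]*)))?\s*;')

# Constructed rules (subset of options: msg, content, offset, depth, nocase).
RULES_TEXT = '''
pass tcp any any -> any 80 (msg:"health check"; content:"GET /healthz"; depth:12;)
alert tcp any any -> any 80 (msg:"CGI path in request line"; content:"/cgi-bin/"; depth:50; nocase;)
log tcp any any -> any 21 (msg:"FTP login"; content:"USER "; depth:5;)
'''

# Constructed packets, already decoded to protocol, destination port, payload.
PACKETS = [
    {"proto": "tcp", "dport": 80, "payload": b"GET /healthz HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /CGI-BIN/status HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "dport": 80,
     "payload": b"POST /form HTTP/1.0\r\n\r\n" + b"A" * 60 + b"/cgi-bin/"},
    {"proto": "tcp", "dport": 21, "payload": b"USER anonymous\r\n"},
]


@dataclass
class Rule:
    action: str
    proto: str
    dport: str
    msg: str
    content: bytes
    offset: int = 0
    depth: int = 0        # 0 means "search to the end of the payload"
    nocase: bool = False

    def matches(self, pkt):
        if pkt["proto"] != self.proto:
            return False
        if self.dport != "any" and int(self.dport) != pkt["dport"]:
            return False
        # Only the window [offset, offset + depth) is searched; the pattern
        # must lie entirely inside it.
        end = self.offset + self.depth if self.depth else None
        window, needle = pkt["payload"][self.offset:end], self.content
        if self.nocase:
            window, needle = window.lower(), needle.lower()
        return needle in window


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        action, proto, dport, body = m.groups()
        opts = {k: (q or u.strip()) for k, q, u in OPT_RE.findall(body)}
        if "content" not in opts:
            raise ValueError(f"rule has no content option: {line!r}")
        rules.append(Rule(action, proto, dport, opts.get("msg", ""),
                          opts["content"].encode(), int(opts.get("offset", 0)),
                          int(opts.get("depth", 0)), "nocase" in opts))
    return rules


class Engine:
    def __init__(self, rules):
        self.rules, self.events, self.logged = rules, [], []

    def inspect(self, pkt):
        hits = {}
        for rule in self.rules:
            if rule.action not in hits and rule.matches(pkt):
                hits[rule.action] = rule      # first matching rule per action
        if "pass" in hits:
            return "pass"                     # no event, nothing logged
        if "alert" in hits:
            self.events.append(hits["alert"].msg)   # event notification
            self.logged.append(pkt)                 # then log the full packet
            return "alert"
        if "log" in hits:
            self.logged.append(pkt)
            return "log"
        return "none"


def run_demo():
    engine = Engine(parse_rules(RULES_TEXT))
    verdicts = [engine.inspect(p) for p in PACKETS]
    return verdicts, engine.events, len(engine.logged)


if __name__ == "__main__":
    print(run_demo())
```

The third packet carries the same string past byte 50 and produces no verdict: a depth limit reduces search cost, but content outside the window is not examined, so the window has to be chosen with the protocol's layout in mind.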
Application program interfaces (APIs) 48 are used to open applications of the network analysis device 16 (FIGS. 1 and 3). The APIs 48 are used to parse, generate and load signatures, invoke corresponding signature detection methods from appropriate protocol contexts, access states required for stateful intrusion detection, and access alerts/alarms management facilities. The APIs may be of the form frame_context_pointer_position, and include, for example:
frame_tcp_bridge
frame_udp_bridge
frame_ip_bridge
frame_http_bridge
FIG. 4 illustrates packet flow through the network intrusion detection and analysis system 18. The system preferably receives raw network packets and uses a network adaptor that listens and analyzes all traffic in real-time as it travels across the network. The packets are received at receiving port (RX) 50 at the MAC (Medium Access Control) layer 52. The packets then pass through IP fragment and CRC (Cyclic Redundancy Checking) 54. A statistics filter 56 filters out unwanted packets. The filter 56 determines which data to examine more closely and screens out all other network traffic. Filter 56 improves system performance by allowing known nonmalicious traffic to be filtered out. Network statistics are then collected at a statistics collection application 58. A trigger 60 is used to trigger the capture engine 32 to capture packets at 62. The packets are either analyzed in real time or temporarily stored for later analysis. Data may be captured, for example, at a buffer at the full-line rate for a short duration, with subsequent analysis of the buffered data at a slower pace. Protocol decoding 64 is provided to decode a wide range of protocols covering all of the Open System Interconnection (OSI) layers to provide detailed data and analysis. Detailed decoding allows visibility into the network regardless of the speed or topology. The packets may be grouped into different protocol presentations and the packets assembled into high level protocol groups for analysis. Signature matching 66 is then performed to detect network intrusion. Any problems detected are sent to an alert log 68 and appropriate action is taken.
FIG. 5 shows a system block diagram of a computer system, generally indicated at 70, that may be used within the network to execute software of an embodiment of the invention. The computer system may include subsystems such as a central processor 80, system memory 82, removable storage 86 (e.g., CD-ROM drive), and a hard drive 84 which can be utilized to store and retrieve software programs incorporating computer code that implements aspects of the invention, data for use with the invention, and the like. The computer readable storage may also include tape, flash memory, or system memory. Additionally, a data signal embodied in a carrier wave (e.g., in a network including the Internet) may be the computer readable storage medium. The computer system 70 may further include a display screen, keyboard, and mouse which may include one or more buttons for interacting with a GUI (Graphical User Interface). Other computer systems suitable for use with the invention may include additional or fewer subsystems. For example, the computer system 70 may include more than one processor 80 (i.e., a multi-processor system) or a cache memory.
The system bus architecture of the computer system 70 is represented by arrows 88 in FIG. 5. However, these arrows are only illustrative of one possible interconnection scheme serving to link the subsystems. For example, a local bus may be utilized to connect the central processor 80 to the system memory 82. The components shown and described herein are those typically found in most general and special purpose computers and are intended to be representative of this broad category of data processors. The computer system 70 shown in FIG. 5 is only one example of a computer system suitable for use with the invention. Other computer architectures having different configurations of subsystems may also be utilized.
Communication between computers within the network is made possible with the use of communication protocols, which govern how computers exchange information over a network. The computer may include an input/output circuit used to communicate information in appropriately structured form to and from the parts of the computer and associated equipment. Connected to the input/output circuit are inside and outside high speed Local Area Network interfaces 90, for example. The inside interface may be connected to a private network, while the outside interface may be connected to an external network such as the Internet. Preferably, each of these interfaces includes a plurality of ports appropriate for communication with the appropriate media, and associated logic, and in some instances memory.
As can be observed from the foregoing, the system and method of the present invention provide numerous advantages. The system and method of the present invention reduce downtime caused by undetected attacks, resulting in greater availability of systems to conduct internal operations and complete transactions over the Internet or other communication network.
Although the present invention has been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that there could be variations made to the embodiments without departing from the scope of the present invention. Accordingly, it is intended that all matter contained in the above description and shown in the accompanying drawings shall be interpreted as illustrative and not in a limiting sense.

Claims (16)

1. An intrusion detection and analysis system comprising:
a data monitoring device comprising a capture engine operable to capture data passing through the network in response to a trigger and configured to monitor network traffic, decode protocols for grouping packets into different protocol presentations and assembling the packets into high level protocol groups, and analyze received data for managing the network by collecting statistics, and detecting broken lines, traffic loads, and network errors;
an intrusion detection device separate from the data monitoring device, the intrusion detection device comprising a detection engine operable to perform intrusion detection on data provided by the data monitoring device;
application program interfaces configured to allow the intrusion detection device access to applications of the data monitoring device to perform intrusion detection; and
memory for storing reference network information used by the intrusion detection device to determine if an intrusion has occurred;
wherein the application program interfaces allow the intrusion detection device to leverage the separate data monitoring device, by allowing the intrusion detection device to call an application program interface configured to open a protocol decoding application associated with the separate data monitoring device, and by allowing the intrusion detection device to call an application program interface configured to open an alarm generation application associated with the separate data monitoring device.
2. The system of claim 1 wherein the reference network information comprises a signature database including signature profiles associated with a known network security violation and wherein the detection engine is operable to compare the data provided by the data monitoring device with the signature profiles to detect network intrusions.
3. The system of claim 2 further comprising a parser operable to parse, generate, and load signatures at the detection engine.
4. The system of claim 1 wherein the reference network information comprises a baseline state of network traffic and wherein the detect engine is operable to compare the data received by the capture engine to the baseline network state and look for anomalies.
5. The system of claim 4 wherein the data monitoring device provides the baseline state of network traffic.
6. The system of claim 1 further comprising a log file configured to at least temporarily store reports generated by the detect engine.
7. The system of claim 6 further comprising an alarm manager operable to generate alarms based on information generated by the log file.
8. The system of claim 1 further comprising a filter configured to filter out packets received at the data monitoring device.
9. The system of claim 1 wherein the capture engine is configured to forward packets and temporarily store packets for later analysis by the data monitoring device.
10. A method for performing intrusion detection with an intrusion detection and analysis system comprising a data monitoring device including a capture engine operable to capture data passing through the network in response to a trigger and configured to monitor network traffic, decode protocols for grouping packets into different protocol presentations and assembling the packets into high level protocol groups, and analyze received data for managing the network by collecting statistics, and detecting broken lines, traffic loads, and network errors, and an intrusion detection device separate from the data monitoring device, the intrusion detection device coupled to the data monitoring device and configured to perform intrusion detection on data provided by the data monitoring device; the method comprising:
receiving data at the data monitoring device;
capturing at least a portion of the packets contained within the data;
by allowing the intrusion detection device to call at least one application program interface configured to open applications of the data monitoring device; and
performing intrusion detection at the intrusion detection device utilizing at least one of the applications of the data monitoring device;
wherein the at least one application program interface allows the intrusion detection device to leverage the separate data monitoring device, by allowing the intrusion detection device to call an application program interface configured to open a protocol decoding application associated with the separate data monitoring device, and by allowing the intrusion detection device to call an application program interface configured to open an alarm generation application associated with the separate data monitoring device.
11. The method of claim 10 further comprising filtering the data prior to capturing packets.
12. The method of claim 10 wherein performing intrusion detection comprises performing signature matching.
13. The method of claim 12 wherein the application program interfaces provide parsing of signatures used in signature matching.
14. The method of claim 10 wherein performing intrusion detection comprises detecting anomalies in the received data.
15. A computer program product for performing intrusion detection with an intrusion detection and analysis system comprising a data monitoring device including a capture engine operable to capture data passing through the network in response to a trigger and configured to monitor network traffic, decode protocols for grouping packets into different protocol presentations and assembling the packets into high level protocol groups, and analyze received data for managing the network by collecting statistics, and detecting broken lines, traffic loads, and network errors, and an intrusion detection device separate from the data monitoring device, the intrusion detection device coupled to the data monitoring device and configured to perform intrusion detection on data provided by the data monitoring device; the product comprising:
code that receives data at the data monitoring device;
code that captures at least a portion of the packets contained within the data;
code that calls at least one application program interface configured to open applications of the data monitoring device;
code that performs intrusion detection at the intrusion detection device utilizing at least one of the applications of the data monitoring device; and
a computer-readable storage medium for storing the codes;
wherein the at least one application program interface allows the intrusion detection device to leverage the separate data monitoring device, by allowing the intrusion detection device to call an application program interface configured to open a protocol decoding application associated with the separate data monitoring device, and by allowing the intrusion detection device to call an application program interface configured to open an alarm generation application associated with the separate data monitoring device.
16. The computer program product of claim 15 wherein the computer readable storage medium is selected from the group consisting of CD-ROM, floppy disk, tape, flash memory, system memory, and hard drive.
US10/091,645 2002-03-05 2002-03-05 Network intrusion detection and analysis system and method Active 2026-10-29 US7493659B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/091,645 US7493659B1 (en) 2002-03-05 2002-03-05 Network intrusion detection and analysis system and method

Publications (1)

Publication Number Publication Date
US7493659B1 true US7493659B1 (en) 2009-02-17

Family

ID=40349437

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/091,645 Active 2026-10-29 US7493659B1 (en) 2002-03-05 2002-03-05 Network intrusion detection and analysis system and method

Country Status (1)

Country Link
US (1) US7493659B1 (en)

US9858559B2 (en) 2009-01-28 2018-01-02 Headwater Research Llc Network service plan design
US9948652B2 (en) 2016-05-16 2018-04-17 Bank Of America Corporation System for resource-centric threat modeling and identifying controls for securing technology resources
US9954975B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Enhanced curfew and protection associated with a device group
US9955332B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Method for child wireless device activation to subscriber account of a master wireless device
US9980146B2 (en) 2009-01-28 2018-05-22 Headwater Research Llc Communications device with secure data path processing agents
US10003598B2 (en) 2016-04-15 2018-06-19 Bank Of America Corporation Model framework and system for cyber security services
US10057775B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Virtualized policy and charging system
US10063444B2 (en) 2016-02-29 2018-08-28 Red Hat, Inc. Network traffic capture analysis
US10064055B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US10200541B2 (en) 2009-01-28 2019-02-05 Headwater Research Llc Wireless end-user device with divided user space/kernel space traffic policy system
US10237757B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc System and method for wireless network offloading
US10248996B2 (en) 2009-01-28 2019-04-02 Headwater Research Llc Method for operating a wireless end-user device mobile payment agent
US10264138B2 (en) 2009-01-28 2019-04-16 Headwater Research Llc Mobile device and service management
US10326800B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Wireless network service interfaces
US10339309B1 (en) 2017-06-09 2019-07-02 Bank Of America Corporation System for identifying anomalies in an information system
US10469523B2 (en) 2016-02-24 2019-11-05 Imperva, Inc. Techniques for detecting compromises of enterprise end stations utilizing noisy tokens
US10492102B2 (en) 2009-01-28 2019-11-26 Headwater Research Llc Intermediate networking devices
US10715342B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US10779177B2 (en) 2009-01-28 2020-09-15 Headwater Research Llc Device group partitions and settlement platform
US10783581B2 (en) 2009-01-28 2020-09-22 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US10798252B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc System and method for providing user notifications
US10805337B2 (en) 2014-12-19 2020-10-13 The Boeing Company Policy-based network security
CN111832027A (en) * 2020-06-29 2020-10-27 郑州云智信安安全技术有限公司 Network intrusion safety early warning system based on cloud computing
US10841839B2 (en) 2009-01-28 2020-11-17 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
CN112422567A (en) * 2020-11-18 2021-02-26 清创网御(合肥)科技有限公司 Network intrusion detection method for large flow
US20210084058A1 (en) * 2019-09-13 2021-03-18 iS5 Communications Inc. Machine learning based intrusion detection system for mission critical systems
US10965699B2 (en) * 2018-01-26 2021-03-30 Rapid7, Inc. Detecting anomalous network behavior
US11218854B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US11412366B2 (en) 2009-01-28 2022-08-09 Headwater Research Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US20220353157A1 (en) * 2017-05-15 2022-11-03 Microsoft Technology Licensing, Llc Techniques for detection and analysis of network assets under common management
US11588835B2 (en) 2021-05-18 2023-02-21 Bank Of America Corporation Dynamic network security monitoring system
US11792213B2 (en) 2021-05-18 2023-10-17 Bank Of America Corporation Temporal-based anomaly detection for network security
US11799879B2 (en) 2021-05-18 2023-10-24 Bank Of America Corporation Real-time anomaly detection for network security
US11923995B2 (en) 2020-11-23 2024-03-05 Headwater Research Llc Device-assisted services for protecting network capacity

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4714992A (en) 1985-11-26 1987-12-22 International Business Machines Corporation Communication for version management in a distributed information service
US5278901A (en) * 1992-04-30 1994-01-11 International Business Machines Corporation Pattern-oriented intrusion-detection system and method
US5414712A (en) 1991-07-23 1995-05-09 Progressive Computing, Inc. Method for transmitting data using a communication interface box
US5751698A (en) 1996-03-15 1998-05-12 Network General Technology Corporation System and method for automatically identifying and analyzing active channels in an ATM network
US5919257A (en) * 1997-08-08 1999-07-06 Novell, Inc. Networked workstation intrusion detection system
US6195352B1 (en) 1996-03-15 2001-02-27 Network Associates, Inc. System and method for automatically identifying and analyzing currently active channels in an ATM network
US6279113B1 (en) * 1998-03-16 2001-08-21 Internet Tools, Inc. Dynamic signature inspection-based network intrusion detection
US6321338B1 (en) * 1998-11-09 2001-11-20 Sri International Network surveillance
US20030101358A1 (en) * 2001-11-28 2003-05-29 Porras Phillip Andrew Application-layer anomaly and misuse detection
US6785821B1 (en) * 1999-01-08 2004-08-31 Cisco Technology, Inc. Intrusion detection system and method having dynamically loaded signatures
US6851061B1 (en) * 2000-02-16 2005-02-01 Networks Associates, Inc. System and method for intrusion detection data collection using a network protocol stack multiplexor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Roesch, Martin, "Snort - Lightweight Intrusion Detection for Networks", Nov. 1999.

Cited By (353)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8448247B2 (en) * 2002-03-29 2013-05-21 Global Dataguard Inc. Adaptive behavioral intrusion detection systems and methods
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US10050988B2 (en) 2003-07-01 2018-08-14 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US10104110B2 (en) 2003-07-01 2018-10-16 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9225686B2 (en) 2003-07-01 2015-12-29 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10154055B2 (en) 2003-07-01 2018-12-11 Securityprofiling, Llc Real-time vulnerability monitoring
US10021124B2 (en) 2003-07-01 2018-07-10 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US20050076228A1 (en) * 2003-10-02 2005-04-07 Davis John M. System and method for a secure I/O interface
US20100169636A1 (en) * 2003-10-02 2010-07-01 Davis John M System and Method For a Secure I/O Interface
US8566612B2 (en) * 2003-10-02 2013-10-22 Exelis, Inc. System and method for a secure I/O interface
US7685436B2 (en) * 2003-10-02 2010-03-23 Itt Manufacturing Enterprises, Inc. System and method for a secure I/O interface
US20050132198A1 (en) * 2003-12-10 2005-06-16 Ahuja Ratinder P.S. Document de-registration
US20050131876A1 (en) * 2003-12-10 2005-06-16 Ahuja Ratinder Paul S. Graphical user interface for capture system
US20100268959A1 (en) * 2003-12-10 2010-10-21 Mcafee, Inc. Verifying Captured Objects Before Presentation
US20050177725A1 (en) * 2003-12-10 2005-08-11 Rick Lowe Verifying captured objects before presentation
US9374225B2 (en) 2003-12-10 2016-06-21 Mcafee, Inc. Document de-registration
US8762386B2 (en) 2003-12-10 2014-06-24 Mcafee, Inc. Method and apparatus for data capture and analysis system
US7814327B2 (en) 2003-12-10 2010-10-12 Mcafee, Inc. Document registration
US9092471B2 (en) 2003-12-10 2015-07-28 Mcafee, Inc. Rule parser
US20050127171A1 (en) * 2003-12-10 2005-06-16 Ahuja Ratinder Paul S. Document registration
US20050132079A1 (en) * 2003-12-10 2005-06-16 Iglesia Erik D.L. Tag data structure for maintaining relational data over captured objects
US8548170B2 (en) 2003-12-10 2013-10-01 Mcafee, Inc. Document de-registration
US8166307B2 (en) 2003-12-10 2012-04-24 McAffee, Inc. Document registration
US20110196911A1 (en) * 2003-12-10 2011-08-11 McAfee, Inc. a Delaware Corporation Tag data structure for maintaining relational data over captured objects
US7984175B2 (en) 2003-12-10 2011-07-19 Mcafee, Inc. Method and apparatus for data capture and analysis system
US8301635B2 (en) 2003-12-10 2012-10-30 Mcafee, Inc. Tag data structure for maintaining relational data over captured objects
US8656039B2 (en) 2003-12-10 2014-02-18 Mcafee, Inc. Rule parser
US8271794B2 (en) 2003-12-10 2012-09-18 Mcafee, Inc. Verifying captured objects before presentation
US7899828B2 (en) 2003-12-10 2011-03-01 Mcafee, Inc. Tag data structure for maintaining relational data over captured objects
US20050132034A1 (en) * 2003-12-10 2005-06-16 Iglesia Erik D.L. Rule parser
US7774604B2 (en) 2003-12-10 2010-08-10 Mcafee, Inc. Verifying captured objects before presentation
US20090254991A1 (en) * 2004-01-14 2009-10-08 International Business Machines Corporation Intrusion detection using a network processor and a parallel pattern detection engine
US8239945B2 (en) * 2004-01-14 2012-08-07 International Business Machines Corporation Intrusion detection using a network processor and a parallel pattern detection engine
US20110167265A1 (en) * 2004-01-22 2011-07-07 Mcafee, Inc., A Delaware Corporation Cryptographic policy enforcement
US8307206B2 (en) 2004-01-22 2012-11-06 Mcafee, Inc. Cryptographic policy enforcement
US7930540B2 (en) 2004-01-22 2011-04-19 Mcafee, Inc. Cryptographic policy enforcement
US20050166066A1 (en) * 2004-01-22 2005-07-28 Ratinder Paul Singh Ahuja Cryptographic policy enforcement
US7962591B2 (en) 2004-06-23 2011-06-14 Mcafee, Inc. Object classification in a capture system
US20050289181A1 (en) * 2004-06-23 2005-12-29 William Deninger Object classification in a capture system
US8560534B2 (en) 2004-08-23 2013-10-15 Mcafee, Inc. Database for a capture system
US20100191732A1 (en) * 2004-08-23 2010-07-29 Rick Lowe Database for a capture system
US20110167212A1 (en) * 2004-08-24 2011-07-07 Mcafee, Inc., A Delaware Corporation File system for a capture system
US7949849B2 (en) 2004-08-24 2011-05-24 Mcafee, Inc. File system for a capture system
US8707008B2 (en) 2004-08-24 2014-04-22 Mcafee, Inc. File system for a capture system
US20060047675A1 (en) * 2004-08-24 2006-03-02 Rick Lowe File system for a capture system
US8161554B2 (en) * 2005-04-26 2012-04-17 Cisco Technology, Inc. System and method for detection and mitigation of network worms
US20060242705A1 (en) * 2005-04-26 2006-10-26 Cisco Technology, Inc. System and method for detection and mitigation of network worms
US20090217369A1 (en) * 2005-05-04 2009-08-27 Telecom Italia S.P.A. Method and system for processing packet flows, and computer program product therefor
US7907608B2 (en) 2005-08-12 2011-03-15 Mcafee, Inc. High speed packet capture
US20110149959A1 (en) * 2005-08-12 2011-06-23 Mcafee, Inc., A Delaware Corporation High speed packet capture
US8730955B2 (en) 2005-08-12 2014-05-20 Mcafee, Inc. High speed packet capture
US20070036156A1 (en) * 2005-08-12 2007-02-15 Weimin Liu High speed packet capture
US20070050334A1 (en) * 2005-08-31 2007-03-01 William Deninger Word indexing in a capture system
US7818326B2 (en) 2005-08-31 2010-10-19 Mcafee, Inc. System and method for word indexing in a capture system and querying thereof
US20110004599A1 (en) * 2005-08-31 2011-01-06 Mcafee, Inc. A system and method for word indexing in a capture system and querying thereof
US8554774B2 (en) 2005-08-31 2013-10-08 Mcafee, Inc. System and method for word indexing in a capture system and querying thereof
US7730011B1 (en) 2005-10-19 2010-06-01 Mcafee, Inc. Attributes of captured objects in a capture system
US8176049B2 (en) 2005-10-19 2012-05-08 Mcafee Inc. Attributes of captured objects in a capture system
US8463800B2 (en) 2005-10-19 2013-06-11 Mcafee, Inc. Attributes of captured objects in a capture system
US20100185622A1 (en) * 2005-10-19 2010-07-22 Mcafee, Inc. Attributes of Captured Objects in a Capture System
US20070116366A1 (en) * 2005-11-21 2007-05-24 William Deninger Identifying image type in a capture system
US8200026B2 (en) 2005-11-21 2012-06-12 Mcafee, Inc. Identifying image type in a capture system
US20090232391A1 (en) * 2005-11-21 2009-09-17 Mcafee, Inc., A Delaware Corporation Identifying Image Type in a Capture System
US7657104B2 (en) 2005-11-21 2010-02-02 Mcafee, Inc. Identifying image type in a capture system
US20090126004A1 (en) * 2006-03-23 2009-05-14 Ntt Communications Corporation Packet transfer device, packet transfer method, and program
US8091136B2 (en) * 2006-03-23 2012-01-03 Ntt Communications Corporation Packet transfer device, packet transfer method, and program
US8504537B2 (en) 2006-03-24 2013-08-06 Mcafee, Inc. Signature distribution in a document registration system
US20070226504A1 (en) * 2006-03-24 2007-09-27 Reconnex Corporation Signature match processing in a document registration system
US8307007B2 (en) 2006-05-22 2012-11-06 Mcafee, Inc. Query generation for a capture system
US20110197284A1 (en) * 2006-05-22 2011-08-11 Mcafee, Inc., A Delaware Corporation Attributes of captured objects in a capture system
US8683035B2 (en) 2006-05-22 2014-03-25 Mcafee, Inc. Attributes of captured objects in a capture system
US8010689B2 (en) 2006-05-22 2011-08-30 Mcafee, Inc. Locational tagging in a capture system
US8005863B2 (en) 2006-05-22 2011-08-23 Mcafee, Inc. Query generation for a capture system
US7689614B2 (en) 2006-05-22 2010-03-30 Mcafee, Inc. Query generation for a capture system
US9094338B2 (en) 2006-05-22 2015-07-28 Mcafee, Inc. Attributes of captured objects in a capture system
US20070271254A1 (en) * 2006-05-22 2007-11-22 Reconnex Corporation Query generation for a capture system
US20100121853A1 (en) * 2006-05-22 2010-05-13 Mcafee, Inc., A Delaware Corporation Query generation for a capture system
US20070271372A1 (en) * 2006-05-22 2007-11-22 Reconnex Corporation Locational tagging in a capture system
US7958227B2 (en) 2006-05-22 2011-06-07 Mcafee, Inc. Attributes of captured objects in a capture system
US8793390B2 (en) * 2006-05-23 2014-07-29 Blue Coat Systems, Inc. Systems and methods for protocol detection in a proxy
US20070276931A1 (en) * 2006-05-23 2007-11-29 Jamshid Mahdavi Systems and Methods for Protocol Detection in a Proxy
US20080127338A1 (en) * 2006-09-26 2008-05-29 Korea Information Security Agency System and method for preventing malicious code spread using web technology
US20090037582A1 (en) * 2007-07-31 2009-02-05 Morris Robert P Method And System For Managing Access To A Resource Over A Network Using Status Information Of A Principal
US8195815B2 (en) * 2007-10-31 2012-06-05 Cisco Technology, Inc. Efficient network monitoring and control
US20090113062A1 (en) * 2007-10-31 2009-04-30 Cisco Technology, Inc. Efficient network monitoring and control
US20100031308A1 (en) * 2008-02-16 2010-02-04 Khalid Atm Shafiqul Safe and secure program execution framework
US8286219B2 (en) * 2008-02-16 2012-10-09 Xencare Software Inc. Safe and secure program execution framework
US8725123B2 (en) 2008-06-05 2014-05-13 Headwater Partners I Llc Communications device with secure data path processing agents
US8924469B2 (en) 2008-06-05 2014-12-30 Headwater Partners I Llc Enterprise access control and accounting allocation for access networks
US8635706B2 (en) 2008-07-10 2014-01-21 Mcafee, Inc. System and method for data mining and security policy management
US8601537B2 (en) 2008-07-10 2013-12-03 Mcafee, Inc. System and method for data mining and security policy management
US8205242B2 (en) 2008-07-10 2012-06-19 Mcafee, Inc. System and method for data mining and security policy management
US20100011410A1 (en) * 2008-07-10 2010-01-14 Weimin Liu System and method for data mining and security policy management
US9253154B2 (en) 2008-08-12 2016-02-02 Mcafee, Inc. Configuration management for a capture/registration system
US10367786B2 (en) 2008-08-12 2019-07-30 Mcafee, Llc Configuration management for a capture/registration system
US8850591B2 (en) 2009-01-13 2014-09-30 Mcafee, Inc. System and method for concept building
US8706709B2 (en) 2009-01-15 2014-04-22 Mcafee, Inc. System and method for intelligent term grouping
US9198074B2 (en) 2009-01-28 2015-11-24 Headwater Partners I Llc Wireless end-user device with differential traffic control policy list and applying foreground classification to roaming wireless data service
US9674731B2 (en) 2009-01-28 2017-06-06 Headwater Research Llc Wireless device applying different background data traffic policies to different device applications
US11757943B2 (en) 2009-01-28 2023-09-12 Headwater Research Llc Automated device provisioning and activation
US8667571B2 (en) 2009-01-28 2014-03-04 Headwater Partners I Llc Automated device provisioning and activation
US8666364B2 (en) 2009-01-28 2014-03-04 Headwater Partners I Llc Verifiable device assisted service usage billing with integrated accounting, mediation accounting, and multi-account
US8675507B2 (en) 2009-01-28 2014-03-18 Headwater Partners I Llc Service profile management with user preference, adaptive policy, network neutrality and user privacy for intermediate networking devices
US8640198B2 (en) 2009-01-28 2014-01-28 Headwater Partners I Llc Automated device provisioning and activation
US8688099B2 (en) 2009-01-28 2014-04-01 Headwater Partners I Llc Open development system for access service providers
US8695073B2 (en) 2009-01-28 2014-04-08 Headwater Partners I Llc Automated device provisioning and activation
US11750477B2 (en) 2009-01-28 2023-09-05 Headwater Research Llc Adaptive ambient services
US8639811B2 (en) 2009-01-28 2014-01-28 Headwater Partners I Llc Automated device provisioning and activation
US8639935B2 (en) 2009-01-28 2014-01-28 Headwater Partners I Llc Automated device provisioning and activation
US8713630B2 (en) 2009-01-28 2014-04-29 Headwater Partners I Llc Verifiable service policy implementation for intermediate networking devices
US8724554B2 (en) 2009-01-28 2014-05-13 Headwater Partners I Llc Open transaction central billing system
US8634821B2 (en) 2009-01-28 2014-01-21 Headwater Partners I Llc Device assisted services install
US8634805B2 (en) 2009-01-28 2014-01-21 Headwater Partners I Llc Device assisted CDR creation aggregation, mediation and billing
US8737957B2 (en) 2009-01-28 2014-05-27 Headwater Partners I Llc Automated device provisioning and activation
US8745220B2 (en) 2009-01-28 2014-06-03 Headwater Partners I Llc System and method for providing user notifications
US8745191B2 (en) 2009-01-28 2014-06-03 Headwater Partners I Llc System and method for providing user notifications
US8635335B2 (en) 2009-01-28 2014-01-21 Headwater Partners I Llc System and method for wireless network offloading
US8788661B2 (en) 2009-01-28 2014-07-22 Headwater Partners I Llc Device assisted CDR creation, aggregation, mediation and billing
US8635678B2 (en) 2009-01-28 2014-01-21 Headwater Partners I Llc Automated device provisioning and activation
US8793758B2 (en) 2009-01-28 2014-07-29 Headwater Partners I Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US8797908B2 (en) 2009-01-28 2014-08-05 Headwater Partners I Llc Automated device provisioning and activation
US8799451B2 (en) 2009-01-28 2014-08-05 Headwater Partners I Llc Verifiable service policy implementation for intermediate networking devices
US11665186B2 (en) 2009-01-28 2023-05-30 Headwater Research Llc Communications device with secure data path processing agents
US11665592B2 (en) 2009-01-28 2023-05-30 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US8839387B2 (en) 2009-01-28 2014-09-16 Headwater Partners I Llc Roaming services network and overlay networks
US8839388B2 (en) 2009-01-28 2014-09-16 Headwater Partners I Llc Automated device provisioning and activation
US11589216B2 (en) 2009-01-28 2023-02-21 Headwater Research Llc Service selection set publishing to device agent with on-device service selection
US8630630B2 (en) 2009-01-28 2014-01-14 Headwater Partners I Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US8868455B2 (en) 2009-01-28 2014-10-21 Headwater Partners I Llc Adaptive ambient services
US8886162B2 (en) 2009-01-28 2014-11-11 Headwater Partners I Llc Restricting end-user device communications over a wireless access network associated with a cost
US8893009B2 (en) 2009-01-28 2014-11-18 Headwater Partners I Llc End user device that secures an association of application to service policy with an application certificate check
US8898079B2 (en) 2009-01-28 2014-11-25 Headwater Partners I Llc Network based ambient services
US8898293B2 (en) 2009-01-28 2014-11-25 Headwater Partners I Llc Service offer set publishing to device agent with on-device service selection
US8897743B2 (en) 2009-01-28 2014-11-25 Headwater Partners I Llc Verifiable device assisted service usage billing with integrated accounting, mediation accounting, and multi-account
US8897744B2 (en) 2009-01-28 2014-11-25 Headwater Partners I Llc Device assisted ambient services
US8903452B2 (en) 2009-01-28 2014-12-02 Headwater Partners I Llc Device assisted ambient services
US11582593B2 (en) 2009-01-28 2023-02-14 Head Water Research Llc Adapting network policies based on device service processor configuration
US11570309B2 (en) 2009-01-28 2023-01-31 Headwater Research Llc Service design center for device assisted services
US8924543B2 (en) 2009-01-28 2014-12-30 Headwater Partners I Llc Service design center for device assisted services
US8924549B2 (en) * 2009-01-28 2014-12-30 Headwater Partners I Llc Network based ambient services
US8630611B2 (en) 2009-01-28 2014-01-14 Headwater Partners I Llc Automated device provisioning and activation
US8948025B2 (en) 2009-01-28 2015-02-03 Headwater Partners I Llc Remotely configurable device agent for packet routing
US11563592B2 (en) 2009-01-28 2023-01-24 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US8630617B2 (en) 2009-01-28 2014-01-14 Headwater Partners I Llc Device group partitions and settlement platform
US11538106B2 (en) 2009-01-28 2022-12-27 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US9014026B2 (en) 2009-01-28 2015-04-21 Headwater Partners I Llc Network based service profile management with user preference, adaptive policy, network neutrality, and user privacy
US9026079B2 (en) 2009-01-28 2015-05-05 Headwater Partners I Llc Wireless network service interfaces
US9037127B2 (en) 2009-01-28 2015-05-19 Headwater Partners I Llc Device agent for remote user configuration of wireless network access
US9094311B2 (en) 2009-01-28 2015-07-28 Headwater Partners I, Llc Techniques for attribution of mobile device data traffic to initiating end-user application
US8631102B2 (en) 2009-01-28 2014-01-14 Headwater Partners I Llc Automated device provisioning and activation
US8630192B2 (en) 2009-01-28 2014-01-14 Headwater Partners I Llc Verifiable and accurate service usage monitoring for intermediate networking devices
US8626115B2 (en) 2009-01-28 2014-01-07 Headwater Partners I Llc Wireless network service interfaces
US11533642B2 (en) 2009-01-28 2022-12-20 Headwater Research Llc Device group partitions and settlement platform
US8588110B2 (en) 2009-01-28 2013-11-19 Headwater Partners I Llc Verifiable device assisted service usage billing with integrated accounting, mediation accounting, and multi-account
US8589541B2 (en) 2009-01-28 2013-11-19 Headwater Partners I Llc Device-assisted services for protecting network capacity
US8583781B2 (en) 2009-01-28 2013-11-12 Headwater Partners I Llc Simplified service network architecture
US8570908B2 (en) 2009-01-28 2013-10-29 Headwater Partners I Llc Automated device provisioning and activation
US9137701B2 (en) 2009-01-28 2015-09-15 Headwater Partners I Llc Wireless end-user device with differentiated network access for background and foreground device applications
US9137739B2 (en) 2009-01-28 2015-09-15 Headwater Partners I Llc Network based service policy implementation with network neutrality and user privacy
US9143976B2 (en) 2009-01-28 2015-09-22 Headwater Partners I Llc Wireless end-user device with differentiated network access and access status for background and foreground device applications
US11516301B2 (en) 2009-01-28 2022-11-29 Headwater Research Llc Enhanced curfew and protection associated with a device group
US9154428B2 (en) 2009-01-28 2015-10-06 Headwater Partners I Llc Wireless end-user device with differentiated network access selectively applied to different applications
US9173104B2 (en) 2009-01-28 2015-10-27 Headwater Partners I Llc Mobile device with device agents to detect a disallowed access to a requested mobile data service and guide a multi-carrier selection and activation sequence
US9179359B2 (en) 2009-01-28 2015-11-03 Headwater Partners I Llc Wireless end-user device with differentiated network access status for different device applications
US9179308B2 (en) 2009-01-28 2015-11-03 Headwater Partners I Llc Network tools for analysis, design, testing, and production of services
US9179315B2 (en) 2009-01-28 2015-11-03 Headwater Partners I Llc Mobile device with data service monitoring, categorization, and display for different applications and networks
US9179316B2 (en) 2009-01-28 2015-11-03 Headwater Partners I Llc Mobile device with user controls and policy agent to control application access to device location data
US9198076B2 (en) 2009-01-28 2015-11-24 Headwater Partners I Llc Wireless end-user device with power-control-state-based wireless network access policy for background applications
US9198042B2 (en) 2009-01-28 2015-11-24 Headwater Partners I Llc Security techniques for device assisted services
US8548428B2 (en) 2009-01-28 2013-10-01 Headwater Partners I Llc Device group partitions and settlement platform
US11494837B2 (en) 2009-01-28 2022-11-08 Headwater Research Llc Virtualized policy and charging system
US9198075B2 (en) 2009-01-28 2015-11-24 Headwater Partners I Llc Wireless end-user device with differential traffic control policy list applicable to one of several wireless modems
US9198117B2 (en) 2009-01-28 2015-11-24 Headwater Partners I Llc Network system with common secure wireless message service serving multiple applications on multiple wireless devices
US9204374B2 (en) 2009-01-28 2015-12-01 Headwater Partners I Llc Multicarrier over-the-air cellular network activation server
US9204282B2 (en) 2009-01-28 2015-12-01 Headwater Partners I Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US9215159B2 (en) 2009-01-28 2015-12-15 Headwater Partners I Llc Data usage monitoring for media data services used by applications
US9215613B2 (en) 2009-01-28 2015-12-15 Headwater Partners I Llc Wireless end-user device with differential traffic control policy list having limited user control
US9220027B1 (en) 2009-01-28 2015-12-22 Headwater Partners I Llc Wireless end-user device with policy-based controls for WWAN network usage and modem state changes requested by specific applications
US11477246B2 (en) 2009-01-28 2022-10-18 Headwater Research Llc Network service plan design
US9225797B2 (en) 2009-01-28 2015-12-29 Headwater Partners I Llc System for providing an adaptive wireless ambient service to a mobile device
US9232403B2 (en) 2009-01-28 2016-01-05 Headwater Partners I Llc Mobile device with common secure wireless message service serving multiple applications
US9247450B2 (en) 2009-01-28 2016-01-26 Headwater Partners I Llc Quality of service for device assisted services
US9253663B2 (en) 2009-01-28 2016-02-02 Headwater Partners I Llc Controlling mobile device communications on a roaming network based on device state
US11425580B2 (en) 2009-01-28 2022-08-23 Headwater Research Llc System and method for wireless network offloading
US9258735B2 (en) 2009-01-28 2016-02-09 Headwater Partners I Llc Device-assisted services for protecting network capacity
US9270559B2 (en) 2009-01-28 2016-02-23 Headwater Partners I Llc Service policy implementation for an end-user device having a control application or a proxy agent for routing an application traffic flow
US9271184B2 (en) 2009-01-28 2016-02-23 Headwater Partners I Llc Wireless end-user device with per-application data limit and traffic control policy list limiting background application traffic
US9277433B2 (en) 2009-01-28 2016-03-01 Headwater Partners I Llc Wireless end-user device with policy-based aggregation of network activity requested by applications
US9277445B2 (en) 2009-01-28 2016-03-01 Headwater Partners I Llc Wireless end-user device with differential traffic control policy list and applying foreground classification to wireless data service
US11412366B2 (en) 2009-01-28 2022-08-09 Headwater Research Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US9319913B2 (en) 2009-01-28 2016-04-19 Headwater Partners I Llc Wireless end-user device with secure network-provided differential traffic control policy list
US11405224B2 (en) 2009-01-28 2022-08-02 Headwater Research Llc Device-assisted services for protecting network capacity
US20130006729A1 (en) * 2009-01-28 2013-01-03 Headwater Partners I Llc Network Based Ambient Services
US9351193B2 (en) 2009-01-28 2016-05-24 Headwater Partners I Llc Intermediate networking devices
US11405429B2 (en) 2009-01-28 2022-08-02 Headwater Research Llc Security techniques for device assisted services
US9386165B2 (en) 2009-01-28 2016-07-05 Headwater Partners I Llc System and method for providing user notifications
US9386121B2 (en) 2009-01-28 2016-07-05 Headwater Partners I Llc Method for providing an adaptive wireless ambient service to a mobile device
US9392462B2 (en) 2009-01-28 2016-07-12 Headwater Partners I Llc Mobile end-user device with agent limiting wireless data communication for specified background applications based on a stored policy
US11363496B2 (en) 2009-01-28 2022-06-14 Headwater Research Llc Intermediate networking devices
US11337059B2 (en) 2009-01-28 2022-05-17 Headwater Research Llc Device assisted services install
US9491199B2 (en) 2009-01-28 2016-11-08 Headwater Partners I Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9491564B1 (en) 2009-01-28 2016-11-08 Headwater Partners I Llc Mobile device and method with secure network messaging for authorized components
US9521578B2 (en) 2009-01-28 2016-12-13 Headwater Partners I Llc Wireless end-user device with application program interface to allow applications to access application-specific aspects of a wireless network access policy
US9532161B2 (en) 2009-01-28 2016-12-27 Headwater Partners I Llc Wireless device with application data flow tagging and network stack-implemented network access policy
US9532261B2 (en) 2009-01-28 2016-12-27 Headwater Partners I Llc System and method for wireless network offloading
US9544397B2 (en) 2009-01-28 2017-01-10 Headwater Partners I Llc Proxy server for providing an adaptive wireless ambient service to a mobile device
US9557889B2 (en) 2009-01-28 2017-01-31 Headwater Partners I Llc Service plan design, user interfaces, application programming interfaces, and device management
US9565543B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Device group partitions and settlement platform
US9565707B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Wireless end-user device with wireless data attribution to multiple personas
US9572019B2 (en) 2009-01-28 2017-02-14 Headwater Partners LLC Service selection set published to device agent with on-device service selection
US9571559B2 (en) 2009-01-28 2017-02-14 Headwater Partners I Llc Enhanced curfew and protection associated with a device group
US9578182B2 (en) 2009-01-28 2017-02-21 Headwater Partners I Llc Mobile device and service management
US9591474B2 (en) 2009-01-28 2017-03-07 Headwater Partners I Llc Adapting network policies based on device service processor configuration
US11228617B2 (en) 2009-01-28 2022-01-18 Headwater Research Llc Automated device provisioning and activation
US9609544B2 (en) 2009-01-28 2017-03-28 Headwater Research Llc Device-assisted services for protecting network capacity
US9609459B2 (en) 2009-01-28 2017-03-28 Headwater Research Llc Network tools for analysis, design, testing, and production of services
US9609510B2 (en) 2009-01-28 2017-03-28 Headwater Research Llc Automated credential porting for mobile devices
US9615192B2 (en) 2009-01-28 2017-04-04 Headwater Research Llc Message link server with plural message delivery triggers
US11218854B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US9641957B2 (en) 2009-01-28 2017-05-02 Headwater Research Llc Automated device provisioning and activation
US11219074B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Enterprise access control and accounting allocation for access networks
US9647918B2 (en) 2009-01-28 2017-05-09 Headwater Research Llc Mobile device and method attributing media services network usage to requesting application
US11190545B2 (en) 2009-01-28 2021-11-30 Headwater Research Llc Wireless network service interfaces
US9705771B2 (en) 2009-01-28 2017-07-11 Headwater Partners I Llc Attribution of mobile device data traffic to end-user application based on socket flows
US9706061B2 (en) 2009-01-28 2017-07-11 Headwater Partners I Llc Service design center for device assisted services
US9749899B2 (en) 2009-01-28 2017-08-29 Headwater Research Llc Wireless end-user device with network traffic API to indicate unavailability of roaming wireless connection to background applications
US9749898B2 (en) 2009-01-28 2017-08-29 Headwater Research Llc Wireless end-user device with differential traffic control policy list applicable to one of several wireless modems
US9755842B2 (en) 2009-01-28 2017-09-05 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US9769207B2 (en) 2009-01-28 2017-09-19 Headwater Research Llc Wireless network service interfaces
US11190427B2 (en) 2009-01-28 2021-11-30 Headwater Research Llc Flow tagging for service policy implementation
US11190645B2 (en) 2009-01-28 2021-11-30 Headwater Research Llc Device assisted CDR creation, aggregation, mediation and billing
US11134102B2 (en) 2009-01-28 2021-09-28 Headwater Research Llc Verifiable device assisted service usage monitoring with reporting, synchronization, and notification
US9819808B2 (en) 2009-01-28 2017-11-14 Headwater Research Llc Hierarchical service policies for creating service usage data records for a wireless end-user device
US11096055B2 (en) 2009-01-28 2021-08-17 Headwater Research Llc Automated device provisioning and activation
US9858559B2 (en) 2009-01-28 2018-01-02 Headwater Research Llc Network service plan design
US9866642B2 (en) 2009-01-28 2018-01-09 Headwater Research Llc Wireless end-user device with wireless modem power state control policy for background applications
US9942796B2 (en) 2009-01-28 2018-04-10 Headwater Research Llc Quality of service for device assisted services
US11039020B2 (en) 2009-01-28 2021-06-15 Headwater Research Llc Mobile device and service management
US9954975B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Enhanced curfew and protection associated with a device group
US9955332B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Method for child wireless device activation to subscriber account of a master wireless device
US9973930B2 (en) 2009-01-28 2018-05-15 Headwater Research Llc End user device that secures an association of application to service policy with an application certificate check
US9980146B2 (en) 2009-01-28 2018-05-22 Headwater Research Llc Communications device with secure data path processing agents
US10985977B2 (en) 2009-01-28 2021-04-20 Headwater Research Llc Quality of service for device assisted services
US10869199B2 (en) 2009-01-28 2020-12-15 Headwater Research Llc Network service plan design
US10028144B2 (en) 2009-01-28 2018-07-17 Headwater Research Llc Security techniques for device assisted services
US10855559B2 (en) 2009-01-28 2020-12-01 Headwater Research Llc Adaptive ambient services
US10057141B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Proxy system and method for adaptive ambient services
US10057775B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Virtualized policy and charging system
US10848330B2 (en) 2009-01-28 2020-11-24 Headwater Research Llc Device-assisted services for protecting network capacity
US10064033B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Device group partitions and settlement platform
US10064055B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US10070305B2 (en) 2009-01-28 2018-09-04 Headwater Research Llc Device assisted services install
US10080250B2 (en) 2009-01-28 2018-09-18 Headwater Research Llc Enterprise access control and accounting allocation for access networks
US10841839B2 (en) 2009-01-28 2020-11-17 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US20100197267A1 (en) * 2009-01-28 2010-08-05 Headwater Partners I Llc Device group partitions and settlement platform
US10165447B2 (en) 2009-01-28 2018-12-25 Headwater Research Llc Network service plan design
US10171681B2 (en) 2009-01-28 2019-01-01 Headwater Research Llc Service design center for device assisted services
US10171990B2 (en) 2009-01-28 2019-01-01 Headwater Research Llc Service selection set publishing to device agent with on-device service selection
US10834577B2 (en) 2009-01-28 2020-11-10 Headwater Research Llc Service offer set publishing to device agent with on-device service selection
US10171988B2 (en) 2009-01-28 2019-01-01 Headwater Research Llc Adapting network policies based on device service processor configuration
US10200541B2 (en) 2009-01-28 2019-02-05 Headwater Research Llc Wireless end-user device with divided user space/kernel space traffic policy system
US10237146B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc Adaptive ambient services
US10237773B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc Device-assisted services for protecting network capacity
US10237757B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc System and method for wireless network offloading
US10248996B2 (en) 2009-01-28 2019-04-02 Headwater Research Llc Method for operating a wireless end-user device mobile payment agent
US10264138B2 (en) 2009-01-28 2019-04-16 Headwater Research Llc Mobile device and service management
US10803518B2 (en) 2009-01-28 2020-10-13 Headwater Research Llc Virtualized policy and charging system
US10320990B2 (en) 2009-01-28 2019-06-11 Headwater Research Llc Device assisted CDR creation, aggregation, mediation and billing
US10321320B2 (en) 2009-01-28 2019-06-11 Headwater Research Llc Wireless network buffered message system
US10326800B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Wireless network service interfaces
US10326675B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Flow tagging for service policy implementation
US10798252B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc System and method for providing user notifications
US10798254B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc Service design center for device assisted services
US20100192212A1 (en) * 2009-01-28 2010-07-29 Gregory G. Raleigh Automated device provisioning and activation
US10798558B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc Adapting network policies based on device service processor configuration
US10462627B2 (en) 2009-01-28 2019-10-29 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US10791471B2 (en) 2009-01-28 2020-09-29 Headwater Research Llc System and method for wireless network offloading
US10492102B2 (en) 2009-01-28 2019-11-26 Headwater Research Llc Intermediate networking devices
US10783581B2 (en) 2009-01-28 2020-09-22 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US10536983B2 (en) 2009-01-28 2020-01-14 Headwater Research Llc Enterprise access control and accounting allocation for access networks
US10582375B2 (en) 2009-01-28 2020-03-03 Headwater Research Llc Device assisted services install
US10779177B2 (en) 2009-01-28 2020-09-15 Headwater Research Llc Device group partitions and settlement platform
US10681179B2 (en) 2009-01-28 2020-06-09 Headwater Research Llc Enhanced curfew and protection associated with a device group
US10694385B2 (en) 2009-01-28 2020-06-23 Headwater Research Llc Security techniques for device assisted services
US10715342B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US10716006B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc End user device that secures an association of application to service policy with an application certificate check
US10749700B2 (en) 2009-01-28 2020-08-18 Headwater Research Llc Device-assisted services for protecting network capacity
US10771980B2 (en) 2009-01-28 2020-09-08 Headwater Research Llc Communications device with secure data path processing agents
US9602548B2 (en) 2009-02-25 2017-03-21 Mcafee, Inc. System and method for intelligent state management
US8473442B1 (en) 2009-02-25 2013-06-25 Mcafee, Inc. System and method for intelligent state management
US9195937B2 (en) 2009-02-25 2015-11-24 Mcafee, Inc. System and method for intelligent state management
US8606911B2 (en) 2009-03-02 2013-12-10 Headwater Partners I Llc Flow tagging for service policy implementation
US8832777B2 (en) 2009-03-02 2014-09-09 Headwater Partners I Llc Adapting network policies based on device service processor configuration
US8447722B1 (en) 2009-03-25 2013-05-21 Mcafee, Inc. System and method for data mining and security policy management
US8918359B2 (en) 2009-03-25 2014-12-23 Mcafee, Inc. System and method for data mining and security policy management
US9313232B2 (en) 2009-03-25 2016-04-12 Mcafee, Inc. System and method for data mining and security policy management
US8667121B2 (en) 2009-03-25 2014-03-04 Mcafee, Inc. System and method for managing data and policies
US8954725B2 (en) 2009-05-08 2015-02-10 Microsoft Technology Licensing, Llc Sanitization of packets
US20100287613A1 (en) * 2009-05-08 2010-11-11 Microsoft Corporation Sanitization of packets
US8839430B2 (en) 2009-12-23 2014-09-16 Teknologian Tutkimuskeskus Vtt Intrusion detection in communication networks
WO2011077013A1 (en) * 2009-12-23 2011-06-30 Teknologian Tutkimuskeskus Vtt Intrusion detection in communication networks
US11316848B2 (en) 2010-11-04 2022-04-26 Mcafee, Llc System and method for protecting specified data combinations
US9794254B2 (en) 2010-11-04 2017-10-17 Mcafee, Inc. System and method for protecting specified data combinations
US8806615B2 (en) 2010-11-04 2014-08-12 Mcafee, Inc. System and method for protecting specified data combinations
US10313337B2 (en) 2010-11-04 2019-06-04 Mcafee, Llc System and method for protecting specified data combinations
US10666646B2 (en) 2010-11-04 2020-05-26 Mcafee, Llc System and method for protecting specified data combinations
US9154826B2 (en) 2011-04-06 2015-10-06 Headwater Partners Ii Llc Distributing content and service launch objects to mobile devices
US20120297483A1 (en) * 2011-05-16 2012-11-22 General Electric Company Systems, methods, and apparatus for network intrusion detection based on monitoring network traffic
US20120294158A1 (en) * 2011-05-16 2012-11-22 General Electric Company Systems, methods, and apparatus for network intrusion detection based on monitoring network traffic
US10505965B2 (en) 2011-10-18 2019-12-10 Mcafee, Llc User behavioral risk assessment
US20150106926A1 (en) * 2011-10-18 2015-04-16 Mcafee, Inc. User behavioral risk assessment
US9648035B2 (en) * 2011-10-18 2017-05-09 Mcafee, Inc. User behavioral risk assessment
US9635047B2 (en) 2011-10-18 2017-04-25 Mcafee, Inc. User behavioral risk assessment
US8700561B2 (en) 2011-12-27 2014-04-15 Mcafee, Inc. System and method for providing data protection workflows in a network environment
US9430564B2 (en) 2011-12-27 2016-08-30 Mcafee, Inc. System and method for providing data protection workflows in a network environment
US9769046B2 (en) * 2012-08-14 2017-09-19 Digicert, Inc. Sensor-based detection and remediation system
US20140052849A1 (en) * 2012-08-14 2014-02-20 Digicert, Inc. Sensor-based Detection and Remediation System
US9792432B2 (en) * 2012-11-09 2017-10-17 Nokia Technologies Oy Method and apparatus for privacy-oriented code optimization
US9331915B1 (en) * 2013-01-25 2016-05-03 Amazon Technologies, Inc. Dynamic network traffic mirroring
US11743717B2 (en) 2013-03-14 2023-08-29 Headwater Research Llc Automated credential porting for mobile devices
US10834583B2 (en) 2013-03-14 2020-11-10 Headwater Research Llc Automated credential porting for mobile devices
US10171995B2 (en) 2013-03-14 2019-01-01 Headwater Research Llc Automated credential porting for mobile devices
US20140355412A1 (en) * 2013-06-03 2014-12-04 Telefonica Digital Espana, S.L.U. Computer implemented method for tracking and checking measures and computer programs thereof
US20160269270A1 (en) * 2013-11-04 2016-09-15 Institut Mines-Telecom/Telecom Sudparis Architecture for testing protocols
US10374932B2 (en) * 2013-11-04 2019-08-06 Institut Mines-Telecom/Telecom Sudparis Architecture for testing protocols
US10805337B2 (en) 2014-12-19 2020-10-13 The Boeing Company Policy-based network security
US10469523B2 (en) 2016-02-24 2019-11-05 Imperva, Inc. Techniques for detecting compromises of enterprise end stations utilizing noisy tokens
US10063444B2 (en) 2016-02-29 2018-08-28 Red Hat, Inc. Network traffic capture analysis
US10355961B2 (en) 2016-02-29 2019-07-16 Red Hat, Inc. Network traffic capture analysis
US10003598B2 (en) 2016-04-15 2018-06-19 Bank Of America Corporation Model framework and system for cyber security services
US9832201B1 (en) 2016-05-16 2017-11-28 Bank Of America Corporation System for generation and reuse of resource-centric threat modeling templates and identifying controls for securing technology resources
US9948652B2 (en) 2016-05-16 2018-04-17 Bank Of America Corporation System for resource-centric threat modeling and identifying controls for securing technology resources
US20220353157A1 (en) * 2017-05-15 2022-11-03 Microsoft Technology Licensing, Llc Techniques for detection and analysis of network assets under common management
US11848830B2 (en) * 2017-05-15 2023-12-19 Microsoft Technology Licensing, Llc Techniques for detection and analysis of network assets under common management
US10339309B1 (en) 2017-06-09 2019-07-02 Bank Of America Corporation System for identifying anomalies in an information system
US10965699B2 (en) * 2018-01-26 2021-03-30 Rapid7, Inc. Detecting anomalous network behavior
US11374954B1 (en) * 2018-01-26 2022-06-28 Rapid7, Inc. Detecting anomalous network behavior
US20210084058A1 (en) * 2019-09-13 2021-03-18 iS5 Communications Inc. Machine learning based intrusion detection system for mission critical systems
US11621970B2 (en) * 2019-09-13 2023-04-04 Is5 Communications, Inc. Machine learning based intrusion detection system for mission critical systems
CN111832027A (en) * 2020-06-29 2020-10-27 郑州云智信安安全技术有限公司 Network intrusion safety early warning system based on cloud computing
CN112422567B (en) * 2020-11-18 2022-11-15 清创网御(合肥)科技有限公司 Network intrusion detection method oriented to large flow
CN112422567A (en) * 2020-11-18 2021-02-26 清创网御(合肥)科技有限公司 Network intrusion detection method for large flow
US11923995B2 (en) 2020-11-23 2024-03-05 Headwater Research Llc Device-assisted services for protecting network capacity
US11588835B2 (en) 2021-05-18 2023-02-21 Bank Of America Corporation Dynamic network security monitoring system
US11792213B2 (en) 2021-05-18 2023-10-17 Bank Of America Corporation Temporal-based anomaly detection for network security
US11799879B2 (en) 2021-05-18 2023-10-24 Bank Of America Corporation Real-time anomaly detection for network security

Similar Documents

Publication Publication Date Title
US7493659B1 (en) Network intrusion detection and analysis system and method
US7424744B1 (en) Signature based network intrusion detection system and method
US7197762B2 (en) Method, computer readable medium, and node for a three-layered intrusion prevention system for detecting network exploits
US20030188189A1 (en) Multi-level and multi-platform intrusion detection and response system
US20030084326A1 (en) Method, node and computer readable medium for identifying data in a network exploit
US20050182950A1 (en) Network security system and method
US20030084319A1 (en) Node, method and computer readable medium for inserting an intrusion prevention system into a network stack
US20030097557A1 (en) Method, node and computer readable medium for performing multiple signature matching in an intrusion prevention system
CN100435513C (en) Method of linking network equipment and invading detection system
US20060161816A1 (en) System and method for managing events
US20030084321A1 (en) Node and mobile device for a mobile telecommunications network providing intrusion detection
US20030084328A1 (en) Method and computer-readable medium for integrating a decode engine with an intrusion detection system
Stiawan et al. The trends of intrusion prevention system network
US7836503B2 (en) Node, method and computer readable medium for optimizing performance of signature rule matching in a network
Debar et al. Intrusion detection: Introduction to intrusion detection and security information management
US20030084344A1 (en) Method and computer readable medium for suppressing execution of signature file directives during a network exploit
Shah et al. Signature-based network intrusion detection system using SNORT and WINPCAP
KR20020072618A (en) Network based intrusion detection system
KR20140078329A (en) Method and apparatus for defensing local network attacks
Lee et al. Automated Intrusion Detection Using NFR: Methods and Experiences.
Mallissery et al. Survey on intrusion detection methods
Resmi et al. Intrusion detection system techniques and tools: A survey
CN113360907A (en) Hacker intrusion prevention method based on IDES and NIDES
Abudalfa et al. Evaluating performance of supervised learning techniques for developing real-time intrusion detection system
Karthikeyan et al. Network Intrusion Detection System Based on Packet Filters

Legal Events

Date Code Title Description
AS Assignment

Owner name: NETWORKS ASSOCIATES TECHNOLOGY, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WU, HANDONG;FREEDMAN, JEROME;IVORY, CHRISTOPHER J.;REEL/FRAME:012678/0136;SIGNING DATES FROM 20020222 TO 20020228

AS Assignment

Owner name: MCAFEE, INC., CALIFORNIA

Free format text: MERGER;ASSIGNOR:NETWORKS ASSOCIATES TECHNOLOGY, INC.;REEL/FRAME:016646/0513

Effective date: 20041119

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: PAYER NUMBER DE-ASSIGNED (ORIGINAL EVENT CODE: RMPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

REMI Maintenance fee reminder mailed
FPAY Fee payment

Year of fee payment: 4

SULP Surcharge for late payment
FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: PAYER NUMBER DE-ASSIGNED (ORIGINAL EVENT CODE: RMPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: CHANGE OF NAME AND ENTITY CONVERSION;ASSIGNOR:MCAFEE, INC.;REEL/FRAME:043665/0918

Effective date: 20161220

AS Assignment

Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND

Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045056/0676

Effective date: 20170929

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045055/0786

Effective date: 20170929

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12

AS Assignment

Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:054206/0593

Effective date: 20170929

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:055854/0047

Effective date: 20170929

AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045055/0786;ASSIGNOR:JPMORGAN CHASE BANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:054238/0001

Effective date: 20201026

AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045056/0676;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT;REEL/FRAME:059354/0213

Effective date: 20220301

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT AND COLLATERAL AGENT, NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:059354/0335

Effective date: 20220301

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT, NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE THE PATENT TITLES AND REMOVE DUPLICATES IN THE SCHEDULE PREVIOUSLY RECORDED AT REEL: 059354 FRAME: 0335. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:060792/0307

Effective date: 20220301